‘Tis the season for email fraud – so don’t open the wrong package

Everyone loves a gift, but many appealing-looking emails turn out to be lumps of coal

Like clockwork, the end of the year marks the winding down of the Australian business year and the start of the silly season. Black Friday and Cyber Monday shopping events are encouraging Australians to get their credit cards out, and stores’ end of year sales are on the way. Yet another group is also getting busier – with often devastating results.

The end-of-year shopping and gift-giving season is a boon for cybercriminals that see it as the perfect time to steal personal information that facilitates financial theft. They’re busy crafting techniques to entice users into accidentally installing malware, handing over personal credit card or other confidential details, or even compromising their mobiles with malware that subsequently steals their banking details.

Reported figures are certain to be just a fraction of the total volumes – which are sure to rise as the volume of deceptive phishing emails surges in the pre-holiday rush and post-holiday shopping season. The Australian launch of Amazon.com could exacerbate the situation, providing even stronger interest in online shopping and new fraud vectors for email phishers.

A recent analysis from digital ID verification firm Jumio suggested that financial-services ID fraud grew nearly 58 percent during last year’s Black Friday-Cyber Monday shopping weekend, and this year is expected to be no different.

Australians, with their well-established love of online shopping and the convenience of mobile devices – the latest PayPal mCommerce Index found that 72 percent of Australians shop on their mobiles – have exposed themselves as often all-too-willing targets for cybercriminals.

Finding the right lure. In most cases, such incidents start with a simple email. Professing to relate to a package delivery or recent purchase, the mail may incorporate an authentic-looking design and logo and create a sense of urgency by implying that there was some problem with a recent purchase, or that a bill is past due.

Such phishing attacks prey on the fact that customers are expecting packages: emails emulating local postal services have proven to be hugely effective. Notices from banks are another popular phishing lure, as are fake utility bills; there’s nothing so quick to limit your holiday spending, after all, as finding a big bill competing for your shopping dollar.

Another popular lure is the emulation of cloud-storage services for sending large documents. These tricks pose a particular threat during the holiday season when few would be surprised to have family members or colleagues using services like WeTransfer, DropSend, OneDrive, Dropbox, and Google Drive to share photos from family gatherings or work functions.

Scammers may tailor these messages in smaller campaigns, of just a few hundred messages, that are shaped using information obtained through social engineering. This might include the name and email address of a relative or work colleague, information about a recent holiday, or details about a person’s hobbies or community associations. Such information provides a veneer of legitimacy that tricks far too many Australians into clicking on phishing email attachments or URLs within minutes of receiving them.

The result is a security headache for company security administrators: in one recent PhishMe survey, 21 percent of respondents said they received over 1000 suspicious email reports every week – and 65 percent said they had had to deal with a security incident originating with a deceptive email.

You’d better watch out, you’d better not WannaCry. Given these figures, corporate security administrators can be forgiven for dreading the holiday season. Many employees shop online during their lunch hour and may lower their mental defenses in the interest of completing their purchases quickly.

In the worst-case scenario, clicking in the wrong place will install malware and ransomware – potentially corrupting not only their own computers but those on the network at their workplace. This can cause massive problems for the company, as those hit worst by this year’s WannaCry ransomware found out when losses soared into the billions.

Warnings about such incidents may seem overblown to employees who are just trying to get their Christmas shopping done, but that’s exactly what cybercriminals want. By shaping their email confidence games to slip past Australians’ natural defenses, too many cybercriminals will steal financial or personal data to put this year’s best gifts under their own trees.

There are ways to avoid getting taken in – and installing a robust email filtering solution is only the beginning. In the leadup to the holiday shopping season, every corporate IT manager should be reminding employees to be careful what they click on a daily basis – whether at work, on the train, or at home. Key advice includes:

Pay attention! It’s really that simple. It doesn’t take a technical mastermind to carry out a hack – a cyber attacker just needs access to basic data, usually available to the public online.

If it seems suspicious, it probably is. If you receive an email that contains tracking information from a postal service, but you aren’t expecting a shipment, stop. Don’t click the tracking URL because it’s really a malicious link disguised as something familiar. The same goes for emails containing attachments – these could contain malicious code.

Everyone’s a target – but some have a public bullseye. If you work in human resources, sales or communications, for example, it’s likely your name and contact information are listed on the company’s website. If this is the case, you need to be extra vigilant when it comes to practicing good security.

Think before you share. Here’s a wakeup call for you: cyberattacks are not random. They are well-researched and usually architected using the information you share online. Personal details like where you work, your job title, who you’re friends with, and what you’re doing and when are plastered all over social media sites like LinkedIn and Facebook. Hackers research these sites to gather intel on unsuspecting victims – this is called social engineering.

Don’t be a follower. If you receive an email from a bank or financial institution requesting your credentials, don’t click the link – it could be malicious. Even if the email is branded with what look like legitimate logos and fonts, it could be a scam. Instead, type in the actual website address, verify the secure connection using “HTTPS” then provide your details in a legitimate, secure environment.

Keep these tips in mind this holiday season to keep your inbox safe and your data secure.
